[Bro] Surprising behavior when reading packets from file vs interface.

Jim Mellander jmellander at lbl.gov
Sun Sep 26 19:24:53 PDT 2010 

BTW:  I commented out the test I mentioned, and Bro performs as
desired.  Thanks for your assistance.

On Fri, Sep 24, 2010 at 11:41 AM, Jim Mellander <jmellander at lbl.gov> wrote:
> On Fri, Sep 24, 2010 at 11:09 AM, Robin Sommer <robin at icir.org> wrote:
>>
>> On Thu, Sep 23, 2010 at 15:28 -0700, you wrote:
>>
>>> Running 'bro -r' with a tracefile, however, causes bro to not bind to
>>> the broccoli port, thus not communicating with the app - verified
>>> w/netstat.
>>
>> This is actually intentional (because the timing can't be kept in
>> sync between the trace and the (real-time) communication), and
>> pseudo-realtime is indeed the recommended solution.
>
> I gathered that from the code, however pseudo-realtime has its own
> problems with timing.  I, for instance, want to measure the real
> propagation delay and end-to-end processing time between bro and the
> broccoli client in a controlled environment by passing a tracefile
> thru bro to be processed in part via the broccoli client.
>
> So bro sends current_time() to the broccoli client, which then takes a
> timestamp, and can then determine the propagation delay - but
> current_time() is altered by the pseudo-realtime value..  If you want
> to go thru the tracefile as rapidly as possible, you will set
> pseudo-realtime to >1, which messes up current_time(), and thus the
> measurements.  Thus, I have a need to:
>
> 1. run thru a tracefile as rapidly as possible for testing,
> 2. keep the notion of current_time() accurate to wall time, and
> 3. run broccoli
>
> Seems to me a few options can fulfill this:
>
> 1. Remove the test I mentioned
> 2. Have an explicit remote communications flag - probably having
> remote communications be the default, and allow disabling via flag if
> desired.
>
> Anything I'm missing?
>
>
>>
>>> However, I'm not sure this behavior is optimal - there are a number of
>>> bro applications now that may not need to listen to an interface (or
>>> to a file, for that matter), but are strictly broccoli event driven,
>>
>> That's right, but when Bro is started without -r, it should actually
>> work as you'd expect. Communication is only disabled when you give
>> Bro a trace to read from . Are you seeing something different?
>
> I've heard apocryphal stories of needing to have an interface open,
> but that may be due to to old event-loop requiring packets.  Will ask
> around and gather more data.
>
>
>>
>> Robin
>>
>> --
>> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
>> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>>
>

More information about the Bro mailing list